Age verification

ABSTRACT

In one or more examples, a computer system is equipped with an image capture device and at least one processor configured to apply automated age estimation to an image(s) captured with the image capture device. In some examples, the computer system is configured to implement multiple age verification methods, such as automated age estimation in combination with one or more other forms of age verification. In some examples, age estimation is supported by liveness detection to mitigate against attempts to spoof the automated age estimation

TECHNICAL FIELD

This disclosure relates to automated age verification.

BACKGROUND

From time to time people need to prove some aspect of their identity, and often the most compelling way to do this is with a passport or other national photo ID such as a driving license or (in jurisdictions which mandate them) an identity card. However whilst these documents are greatly trusted due to the difficulty involved in making fraudulent copies and their issuance by government institutions, they are also sufficiently valuable that it is preferable not to have to carry them everywhere with us. An important aspect of this is age verification.

Systems for automated age verification are known. For example, in a digital identity service provided under the name “Yoti”, at the time of writing, an image of a user may be captured and transmitted to a back-end service storing user credentials (e.g. passport information) which can then identify the user and verify their age. Facial recognition is used to match a selfie taken by the user with an identity photo on the passport or other ID document.

A user can store selected credential(s), such as an 18+ attribute, with others based on QR codes. The fact that the 18+ attribute is derived from the user's passport or other trusted identity document, which in turn has been matched to the user biometrically, makes this a highly robust automated age verification mechanism.

SUMMARY

In one or more examples, a computer system is equipped with an image capture device and at least one processor configured to apply automated age estimation to an image(s) captured with the image capture device. In some examples, the computer system is configured to implement multiple age verification methods, such as automated age estimation in combination with one or more other forms of age verification. In some examples, age estimation is supported by liveness detection to mitigate against attempts to spoof the automated age estimation.

SUMMARY OF FIGURES

FIG. 1 shows schematically a user purchasing an item from a retailer;

FIG. 2 shows schematically an age verification system;

FIG. 3 illustrates schematically an age verification technique

FIG. 4 illustrates schematically a second age verification technique.

DESCRIPTION

In many situations it is important to be able to verify the age of a person. For example, when the person is attempting to purchase an age-restricted item (such as alcohol) or enter an age-restricted age (such as a nightclub). The exact age limits vary from country to country and are subject to change but, for example, it is illegal in the United Kingdom to sell tobacco products to anyone under the age of eighteen. Traditionally, age verification has been done manually by having an authorized person check a physical photographic identity document which specifies the birth date of the person. However, this can be time-consuming. Furthermore, the customer may not own a photographic identity card, or may not have it on their person.

Take, for example, a customer attempting to purchase an age-restricted product from a retailer. The retailer may have one or more “self-checkouts” (or self-checkout terminals). A self-checkout is an integrated sales point where the customer performs the job of the cashier themselves by scanning product(s) and providing payment. As the customer scans products for purchase, they are added to a virtual “shopping basket”. When the customer has added all the products he or she wishes to purchase to the shopping basket, the customer proceeds to a payment screen and pays for the products. In an example of a prior art system, if one or more of the products is an age-restricted product, the self-checkout will identify this when the product is scanned and prompt the customer to participate in an automated age-verification process.

Systems relating to automated age verification are known. However, these require a person wishing to verify their age to submit a photograph of themselves to a back-end service. This means that the person requires an electronic device such as a smartphone with a network connection. This may not always be the case. Certain embodiments aim to provide an automated age verification method which is able to operate in such circumstances.

In an example, at least one image is captured and processed to determine whether performance of the age-restricted activity is authorized. For example, a camera mounted at or on a computer terminal may capture an image of a person attempting to purchase an age-restricted product. A structure having human characteristics is detected in the image and an estimated human age is determined based on the human characteristics. Further, it is determined whether the structure in the image exhibits at least one liveness characteristic indicating that the human characteristics from which the estimated human age is determined have been captured directly from a living human at the computer terminal. The determination is positive if the estimated human age meets a predetermined age requirement and the structure is determined to exhibit at least one liveness characteristic. The determination is negative if the estimated human age does not meet the predetermined age requirement; the structure is not determined to exhibit at least one liveness characteristic; or the estimated human age does not meet the predetermined age requirement and the structure is not determined to exhibit at least one liveness characteristic.

In other words, the self-checkout determines if the customer is older than the threshold age (i.e. the age limit for purchasing that product) and performs a liveness detection process (described in more detail below to determine whether the entity on which the age detection process is performed is a living human. For example, the liveness test may comprise identifying three-dimensional detail in the image captured by the camera. This makes it harder for the customer to spoof their age, e.g. by holding up a picture of an older person to the camera.

If the customer passes both an age threshold and the liveness test, then the self-checkout can automatically permit the purchase. If not, the self-checkout can initiate a further verification process such as requiring the customer to participate in an automated age-verification process as known in the art (described below with reference to FIG. 3 ). Alternatively or additionally, the self-checkout may prompt an employee of the retailer to perform a manual age verification.

FIG. 1 shows an example of a self-checkout setup 100 in which a customer 101 is using a self-checkout 120 to purchase a product 130. The self-checkout setup 100 may be, for example, located within a retailer. The product 130 in this example is an age-restricted product such as alcohol, tobacco, etc. meaning that the retailer must verify that the customer 110 is old enough to purchase the product 130 before allowing the customer 110 to do so. In other words, there is a threshold age (e.g. eighteen years old) associated with the product 130, and the customer 110 must be this age or older in order to be permitted to purchase the product 130. If the customer 110 is younger than the threshold age, the customer 110 is not allowed to purchase the product 130.

The self-checkout 120 may be provided with a touchscreen 122 as shown in FIG. 1 which allows the customer 110 to interact with the self-checkout 120. A scanner is also provided (not shown in FIG. 1 ) to allow the customer 110 to scan products to add them to a shopping basket, as known in the art. Once scanned, a product is added to a list of items to be purchased which may be displayed on the touchscreen 122. Once the customer 110 has added all the products he or she wishes to purchase to the shopping basket by scanning them, the customer 110 proceeds to a payment screen and provides payment for the products.

A camera 121 is provided (mounted on the self-checkout 120 in this example) for capturing an image of the customer 110. For example, the camera 121 may be arranged to capture images of the face of the customer 110. One or more captured images captured by the camera 121 may be a static image or a video image. In either case, at least one captured image is used to perform an age detection process as described below in relation to FIG. 2 .

FIG. 2 shows an image processing system 200 in accordance with an example. In this example, the system comprises a camera 121, an age detection module 210, a liveness detection module 220, and an output module 140.

The age detection module 210 is operatively coupled to the camera 121 and the output module 140. The liveness detection module 220 is also operatively coupled to the camera 121 and the output module 140.

The camera 121 shown in FIG. 2 is understood to be the camera 121 shown in FIG. 1 . That is, the camera 121 is constructed and arranged to capture images of the customer 110 as described above. The age detection module 210 comprises computer-executable code (software) configured, so as when run on one or more processing units, to perform the steps described herein. The age detection module 210 may be implemented at the self-checkout 120 itself or on a computer device separate from the self-checkout 120. Similarly, the liveness detection module 220 also comprises computer-executable code (software) configured, so as when run on one or more processing units, to perform the steps described herein. The liveness detection module 220 may be implemented at the self-checkout 120 itself or on a computer device separate from the self-checkout 120. The liveness detection module 220 and age detection module 210 as described separately herein, and so it is understood that they may each be implemented on a separate computer device. However, it is not excluded that a single computer device may be configured to implement the functionality of both the age detection module 210 and the liveness detection module 220. The functions represented by modules 210 and 220 can be implemented locally at the self-checkout terminal (or other computer terminal at which the image of the user is captured), or as part of a remote service to which the image is transmitted for processing.

In operation, the camera 121 captures at least one image of the customer 110 which is sent to the age detection module 210. The at least one image is also sent to the liveness detection module 220.

The age detection module 210 is configured to receive image data of the at least one image and perform an age detection process on the at least one image to determine an estimated age of the customer 110. To do so, the age detection module 210 processes the at least one image to detect a structure in the image having human characteristics (e.g. a set of facial points). From this set of human characteristics, the age detection module 210 can determine an estimated human age using techniques known in the art. For example, the age detection module 210 may apply an age classification algorithm based on machine learning techniques known in the art. Other methods of estimating an age of a person from an image of the person are known in the art. In any case, the age detection module 210 generates, using the age detection process, an estimated age for the customer 110. The estimated age may be associated with an error value, e.g. “22 years old±2 years”. The estimated age is sent from the age detection module 210 to the output module 140. Alternatively or additionally, it may be associated with a confidence score.

The liveness detection module 220 may also processes image data of the at least one image to detect a structure in the image having human characteristics. In an alternative example, the liveness detection module may receive the structure having human characteristics from the age detection module 210. In any case, the liveness detection module 220 is configured to determine a liveness attribute indicating the human characteristics have been captured directly from a living human. “Liveness detection” refers to techniques of detecting whether an entity, which may exhibit what are ostensibly human characteristics, is actually a real, living being or is a non-living entity masquerading as such.

The term “image data of a captured image” can refer to all or part of the image itself (raw image data) or data derived from the image (such as a feature vector etc.) in a pre-processing step, which can be performed at the image processing system, or remote from it (e.g. at the computer terminal when remote from the image processing system).

The liveness detection process applied by the liveness detection module 220 comprises checking for the presence of at least one liveness characteristic of the customer 110 from the at least one image of the customer 110. This may be done, for example, by detecting 3D facial structure in the captured image. One specific example of this is involves detecting motion of 3D landmark points on the captured facial structure. That is, in a video image of a moving (e.g. rotating) face, the distances between points such as the eyes, ears, nose, mouth, etc. will be seen to vary in the image as the face moves if the face is indeed 3D. This allows 3D structure to be detected using a 2D camera. Alternatively, 3D imaging can be used, such as stereoscopic imaging, or using infrared arrays etc.

In another example, the image is a video image and the liveness detection module 220 may determine that the customer 110 in the video image is alive by detecting skin colour variations (e.g. blushing or skin colour changes indicative of a heart beat) or some other physiological signal. In general, any test which allows a live human to be distinguished from a non-live but human-like entity (such as a picture of a human) may be used. Alternatively or additionally, the liveness detection module 220 may be configured to determine a liveness of the customer 110 using a separate camera from the camera 121 used by the age determination module 210.

Another form of test is based on “challenge-response”, wherein an output is provided to elicit a response from a user of the self-checkout terminal, and the system checks for an expected response in the image(s). The output may be randomised to make the test harder to spoof. For example, the user may be asked to say a randomly selected word, and the system may check for lip movement matching that word in a captured video image.

International patent application published as WO 2017/025573, which is incorporated herein by reference in its entirety, discloses various forms of liveness test that may be applied to a captured image, any one or more of which (in any combination) can be applied in this context.

In another example, the camera 120 is an infrared camera. In such cases, the liveness detection module 220 may be configured to determine a liveness of the customer 110 using at least one thermal image (thermogram) from the infrared camera. However, where age estimation is performed based on the thermal image, a separate liveness test need not be performed, as noted, because the very presence of human characteristics from which an age can be estimated implies liveness.

In any case, the liveness detection module 220 is configured to generate an indication or whether or not the expected liveness characteristic(s) are present. This indication is sent from the liveness detection module 220 to the output module 140.

The output module 140 receives both the estimated age from the age detection module 210 and the liveness indication from the liveness detection module 220.

Firstly, the output module 140 compares the estimated age with a threshold age and determines, therefrom, if the customer 110 is younger than the threshold age. Note that the estimated age may have an error value associated with it. In these cases, the output module 140 may be configured to determine at least when the customer 110 is definitely older than the threshold age (e.g. even the lowest value within the error is older than the threshold age). That is, a minimum level of confidence may also be required for successful age verification.

If the output module 140 determines that the customer's estimated aged is (definitely) older than the threshold age and that the customer is alive, then the output module 140 may allow the purchase of that item.

Both the liveness and the age estimation can be confidence-based, wherein both attributes must be positive with sufficient confidence, e.g. confidence scores above a threshold.

Allowing the purchase may comprise the output module 140 sending an indication to the self-checkout 120 causing the self-checkout 120 to add that product 130 to the shopping basket. In alternative examples, the self-checkout 120 may function as normal unless it receives any indication from the output module 140. In these examples, the output module 140 may do nothing in response to determining that the purchase should be allowed.

In all other cases, there is some uncertainty as to whether or not the customer 110 is legally allowed to purchase the item. This is because either:

-   -   a) it is not possible to positively determine that the customer         110 is old enough; or     -   b) it is not possible to positively determine that the customer         110 is alive.         That is, the customer 110 may or may not be old enough and/or         the customer 110 may or may not be attempting to cheat the         system (e.g. by presenting a photograph of an older person to         the camera 121). In either case, this means that the customer         110 may or may not be legally allowed to purchase the item, and         so further verification is required.

The output module 140 may first determine if the estimated age cannot be determined to be definitely older than the threshold age and, if so, may not need to consider the liveness state.

The output module 140 may generate an alert (e.g. via a visual or auditory alarm) in response to determining that further verification is required. For example, the alert may be to an employee of the retailer to perform a manual age verification process, e.g. by checking a photographic identity card of the customer 110.

In an alternative or additional example, the output module 140 may instigate a further age verification process which does not require input from an employee of the retailer. For example, the customer 110 may carry an electronic device such as a smart phone with them. Such a device can be used to interact with the self-checkout 120 to perform a further age verification process, as described below with reference to FIG. 3 . Reference is made to International patent application published as WO2016/128569 and United States patent application published as: US2016/0239653; US2016/0239657; US2016/0241531; US2016/0239658; and US2016/0241532, each of which is incorporated herein by reference in its entirety. The further age verification process can be carried out by sharing an age-related identity attribute (e.g. date of birth or 18+ attribute etc.) with the self-checkout terminal as described therein. In this context, a trusted digital identity system provides the attribute, which is also anchored to a passport or other authenticated identity document. The digital identity system and the ID document are both trusted sources of identity information, allowing the identity attribute to be verified by verifying its source. The identity storing process is summarised below in the present context.

FIG. 3 shows the self-checkout setup described above in relation to FIG. 1 . In this example, the customer 110 has a personal electronic device which in this case is a smartphone 300. The smartphone 300 comprises a camera 301. Additionally, FIG. 3 shows a digital identity system 400. The digital identity system 400 and self-checkout 120 are arranged to communicate via a wired and/or wireless connection such as via the Internet. The digital identity system 400 and smartphone 300 are arrange to communicate via a wired and/or wireless connection such as via the Internet.

The digital identity system 400 stores user details such as passport details. Specifically, the digital identity system 400 stores at least an association between a user ID, that user's age and an image of that user. Identity data is stored as individual identity attributes, which constitute digital identities for users of the digital identity system 400. This includes biometric attributes, such as facial images, as well as other identity attributes, and age-related identity attributes in particular.

In step S300, the self-checkout 120 sends a request for a sharing token (a form of credential) to the digital identity system 400. The sharing token is code which is unique to that particular request. This may be performed in response to the customer 110 attempting to purchase an age-restricted item, e.g. this may be performed in response to the customer 110 scanning an age-restricted item, or when the customer 110 attempts to provide payment for a shopping basket containing one or more age-restricted items. Alternatively, it can be obtained any time in advance. The sharing token is associated with the self-checkout terminal within the digital identity system 400.

The sharing token is provided to the self-checkout 120 in step S301. The self-checkout 120 displays the sharing token in a manner which can be captured by a camera or output in some other way that permits capturing by a user device in the vicinity of the self-checkout terminal 120. For example, the sharing token may be displayed as a barcode or QR code on the display screen of the self-checkout 120.

In step S302, the customer 110 captures an image of the sharing token using the camera 301 of the smartphone 300 (or other electronic device).

In step S303, the customer 110 captures a self-image using the camera 301 of the smartphone 300 (or other electronic device). The self-image may be an image of the face of the customer 110 or some other biometric that can be matched to his digital identity.

In step S304, the sharing token captured in step S302 and the self-image captured in step S303 are provided to the digital identity system 400. This may be done directly, as shown in FIG. 3 , if the smartphone 300 is enabled with a wireless connection (e.g. via the Internet). The self-image and sharing token are transmitted in a message which identifies at least a corresponding biometric attribute (e.g. facial image) and an age-related attribute of the digital identity. For example, the message may comprise one or more database keys which allow these to be identified in a database. The purpose of obtaining the corresponding biometric is to biometrically authenticate the user by comparison with the self-image.

In step S305, the digital identity system 400 uses the message to access the digital identity of the customer 110. The profile comprises an indication of the age of the customer 110, in the form of the above age-related identity attribute.

In step S306, the digital identity system 400 compares the self-image with a corresponding biometric of the digital identity. If these match, the digital identity system 400 provides an age-related attribute to the self-checkout terminal 120 in step S307, using the sharing token as received in the message.

Alternatively, the steps of FIG. 3 may instead be performed between the user's smartphone 300 and a second merchant device, such as a tablet or other hand-held computer device operated by a merchant (e.g. staff member). In this case, the sharing token is captured from the second merchant device.

In the example of FIG. 3 , the self-checkout terminal or second merchant device can automatically determine whether the age requirement is satisfied simply based on the received age-related attribute (on the basis the user's identity has been verified biometrically in the digital identity system 400).

As an alternative to biometric identification in the digital identity system 400, the digital identity system 400 may provide (at step S305) the biometric attribute to the self-checkout terminal 120 or second merchant device with the age-related attribute, and the biometric may be displayed to a merchant who performs a manual identity check. Generally, the most suitable form of biometric for manual verification is a facial image. The facial image may be displayed along with the age-related identity attribute at the self-checkout terminal 120 or the second merchant device. Alternatively, the age-related identity attribute may be used to automatically determine (at the self-checkout terminal 120 or second merchant device) whether the age requirement is satisfied, and the result may be conveyed to the merchant (e.g. the facial image may be displayed with a visual indication that the age requirement is satisfied and/or the facial image may only be displayed for verification in response determining that the age requirement is satisfied, in which case the presence of the facial image indicates that the age requirement is satisfied). Either way, the merchant can then compare the displayed facial image with the person in front of them, and decide whether to authorize the activity based on the facial image (for example, by scanning a merchant identity card and/or entering a personal identification number or other merchant credential at the self-checkout terminal 120).

As an alternative to manual facial verification, a biometric verification process may be performed at the self-checkout terminal 120 or second merchant device using the biometric returned by the digital identity system 400. Any form of biometric (or multiple biometrics) may be used in this context. In this case, a second biometric(s) (e.g. facial image, fingerprint etc.) is captured from the user via a biometric sensor (e.g. camera, fingerprint reader etc.) of the self-checkout terminal 120 or the second merchant device that is compared with a biometric(s) received from the digital identity system 400 in an automated biometric identity verification process.

In the various methods set out above with reference to FIG. 3 , the sharing token is presented at the self-checkout terminal 120 and captured by the user device 300. Each of these methods may alternatively be performed using a sharing token that is instead presented on the user device 300 and captured by the self-checkout 120 or a separate merchant device (e.g. tablet computer). In this case, the sharing token is obtained by the customer 110 and is associated with their identity attributes in the digital identity system 400.

FIG. 4 illustrates one example of an authentication process in which the user 110 provides their sharing token (credential) to a merchant device 52, which may be the self-checkout 120 or a second merchant device (e.g. tablet computer). At step 400, a sharing token 30 is obtained at the user device 300 from the digital identity system 400. The sharing token 30 is associated at the digital identity system 400 with the user's age-related identity attribute and at least one biometric attribute.

To assert their identity, the user causes the sharing token 30 to be displayed or otherwise outputted at the user device 300 e.g., in a visual form such as a 2D or 3D barcode, or as a transmittable binary blob for use with Near Field Communication or similar technology. At step 402, the sharing token 30 is captured from the user device 300 by merchant device 52, and provided to the digital identity system 400 at step 404. The digital identity system 400 validates the sharing token 30 and, if valid, returns the age-related identity attribute to the merchant device 52 at step 406, along with the biometric attribute associated with the user's sharing token 30. The biometric attribute can then be outputted to the merchant for manual verification (who can then manually authorize the restricted activity in the manner described above) or used in an automated biometric identity verification process performed at the merchant device 52 in the manner described above.

In an alternative or additional example, the user 110 may be able to select, at the self-checkout 120, whether to verify their age using the age detection mechanism or the further age verification process by sharing an age-related identity attribute as a first instance. The user 110 may be presented with selectable options on the touchscreen 122 at the self-checkout terminal 120 for each of the possible age verification processes (e.g. in an initial menu screen presented at the self-checkout terminal 120). The user 110 selects one of the options to implement the age verification process.

For example, the user may be presented with two selectable options: the first for using the using the age detection mechanism as described with reference to FIG. 2 , and the second for sharing an age-related identity attribute as described with reference to FIG. 3 or FIG. 4 . In embodiments in which the process of FIG. 3 or FIG. 4 is carried out between the user device 300 and a second merchant device, the latter may cause the merchant to be notified (e.g. by triggering a visual alert at the self-checkout terminal 120), and the merchant may then initiate the process of FIG. 3 or FIG. 4 on the second merchant device (e.g. handheld tablet device). Other options may be presented in addition or alternatively to the user. For example, there may be another user selectable option for verifying age manually by showing a physical identity document to an employee.

When the user 110 selects one of the options, the selection age verification mechanism is initiated. If the user 110 fails to satisfy the requirements of the selected age verification mechanism, anther age verification mechanism may be initiated automatically, or the user 110 may be presented with the options again for selecting an alternative age verification mechanism. Alternatively, the merchant may be required to intervene at this point, e.g. to authorize a different age verification mechanism.

Although described with reference to self-checkouts in particular, it is understood that the systems and methods described herein could also be applied to normal (non-self) checkouts to alleviate the requirement of the cashier performing an age verification check every time a customer attempts to purchase an age-restricted product. The above examples can be implemented in any context where age-verification is required, such as making online purchases, or accessing age-res

In accordance with a first aspect of the present disclosure, there is provided a method of authorizing the performance at a computer terminal of an age-restricted activity, the method comprising the following steps, implemented in an image processing system: receiving image data of at least one image captured at the computer terminal; processing the image data of the at least one image to determine whether performance of the age-restricted activity is authorized, by: detecting a structure in the at least one image having human characteristics; determining an estimated human age based on the human characteristics; and determining whether the structure in the at least one image exhibits at least one liveness characteristic indicating the human characteristics from which the estimated human age is determined have been captured directly from a living human at the computer terminal; and wherein said determination is positive if the estimated human age meets a predetermined age requirement and the structure is determined to exhibit at least one liveness characteristic, and negative if: i) the estimated human age does not meet the predetermined age requirement; and/or ii) the structure is not determined to exhibit at least one liveness characteristic.

Thus, a positive determination is only made if the system is sufficiently confident that the human characteristics have been captured directly from a living human that meets the age requirement (as opposed to, e.g. a photograph of an older person presented by the user in a spoofing attempt).

In embodiments, the method may comprise initiating a further age verification procedure in the case that the determination is negative.

The further age verification procedure may comprise: receiving an age-related identity attribute associated with a user of the computer terminal, and verifying a source of the age-related identify value.

If the determination is negative, an alert may be outputted in response.

The at least one liveness characteristic may indicate the structure is three-dimensional.

The at least one liveness characteristic may comprise a physiological signature.

The physiological signature may be a heartbeat detected from skin colour changes in the at least one image.

The camera is a thermal imaging camera.

The at least one image may be a video image.

The method may comprise a step of providing an output at the computer terminal, wherein the liveness characteristic is an expected response to the output.

The output may be randomised.

The method may be performed in response to determining that a user is attempting to purchase an age-restricted item.

The age-related identity attribute may be obtained by: outputting at the computer terminal a code for capturing at a user device, the code associated with the computer terminal; receiving at the digital identity system a message which includes the code as captured at the user device; accessing a digital identity comprising the age-related attribute based on the message and using the code to transmit the age-related attribute to the computer terminal.

The verification step may comprise verifying the age-related identity attribute has been captured from an authentic identity document.

In accordance with another aspect disclosed herein, there is provided a method of estimating an age of a user, the method comprising the following steps, implemented in an image processing system: receiving at least one thermogram captured at a computer terminal; processing the at least one thermogram by: detecting a structure in the at least one thermogram having human characteristics; determining an estimated human age based on the human characteristics.

Detecting a structure in the at least one thermogram having human characteristics necessarily implies that a living human is present because such characteristics are only identifiable due to temperate differences across the image. A (non-living) picture of a human does not exhibit such temperature variations. That is, presence of human characteristics in a thermal image implies liveness without needing to perform an explicit separate liveness test.

Another aspect of the invention provides an image processing system comprising an input configured to receive image data of at least one image captured at the computer terminal; and one or more processors configured to apply an of the steps disclosed herein to the image data,

The input may be in the form of a network interface for receiving the image data from the computer terminal, which is remote from the image processing system.

A computer terminal may be provided, which comprises: an image capture device for capturing images; and the image processing system which is configured to apply the above steps to image data of an image captured by the image capture device.

Another aspect of the invention provides a computer program product comprising computer-executable code embodied on a computer-readable storage medium configured so as when executed by one or more processing units to perform any of the steps disclosed herein.

Whilst the above has been described in terms of specific embodiments, these are not exhaustive. The scope is not limited by the described embodiments but only by the following claims. 

1. (canceled)
 2. A computer-implemented method of authorizing performance of an age-restricted activity at a computer terminal, the method comprising: capturing, from a user device of a user, a sharing token; providing the sharing token to a digital identity system, the digital identity system storing an age-related identity attribute associated with the user, wherein the digital identity system is configured to validate the sharing token; and receiving, from the digital identity system, a message, wherein receipt of the message indicates that the sharing token is valid.
 3. The method of claim 2, wherein the method further comprises: rendering, on a display of the computer terminal, the age-related identity attribute associated with the user.
 4. The method of claim 2, wherein the method further comprises: determining, at the computer terminal, that the user satisfies an age requirement associated with the age-restricted activity.
 5. The method of claim 4, wherein the method further comprises rending an indication that the user satisfies the age requirement at a display of the computer terminal.
 6. The method of claim 2, wherein the message received from the digital identity system comprises the age-related identity attribute associated with the user.
 7. The method of claim 2, wherein the sharing token is associated with an age-related identity attribute associated with the user.
 8. The method of claim 2, wherein the method further comprises: rendering a user interface at a display of the computer terminal, wherein the user interface comprises a user selectable option for initiating sharing of the age-related attribute; receiving a user input at the user interface; and determining that the received user input selects the user selectable option for initiating sharing of the age-related attribute; wherein the sharing token is captured in response to determining that the user has selected the user selectable option, thereby initiating the sharing of the age-related attribute.
 9. The method of claim 2, wherein the method further comprises: receiving an image of the user at the computer terminal, the image received in the message from the digital identity system; and rendering the image of the user at a display of the computer terminal.
 10. The method of claim 2, wherein the method further comprises, at an image processing system: receiving image data of at least one image captured at the computer terminal; processing the image data of the at least one image to determine whether performance of the age-restricted activity is authorized, by: detecting a structure in the at least one image having human characteristics; determining an estimated human age based on the human characteristics; and determining whether the structure in the at least one image exhibits at least one liveness characteristic indicating the human characteristics from which the estimated human age is determined have been captured directly from a living human at the computer terminal, said determination being positive if the estimated human age meets a predetermined age requirement and the structure is determined to exhibit at least one liveness characteristic, and negative if: i) the estimated human age does not meet the predetermined age requirement; and/or ii) the structure is not determined to exhibit at least one liveness characteristic.
 11. The method of claim 10, wherein the sharing token is captured in response to the determining that the structure in the at least one image does not exhibit at least one liveness characteristic.
 12. The method of claim 10, wherein the method further comprises: rendering a user interface at a display of the computer terminal, wherein the user interface comprises a user selectable option for initiating estimating age and determining liveness of the user; receiving a user input at the user interface; and determining that the received user input selects the user selectable option for initiating estimating age and determining liveness of the user; wherein the image is captured and provided to the image processing system in response to determining that the received user input selects the user selectable option for initiating estimating age and determining liveness of the user.
 13. The method of claim 2, wherein the sharing token is a QR code.
 14. The method of claim 2, wherein the age-related identity attribute is verified by the digital identity system based on capturing the age-related identity attribute from a physical identity document.
 15. A computer terminal comprising: a token capturing device for capturing a sharing token; one or more processors; and computer-readable storage medium storing a computer program product which, when executed on the one or more processors, causes the computer terminal to: capture, from a user device of a user, a sharing token using the token capture device; provide the sharing token to a digital identity system, the digital identity system storing an age-related identity attribute associated with the user, wherein the digital identity system is configured to validate the sharing token; and receive, from the digital identity system, a message, wherein receipt of the message indicates that the sharing token is valid.
 16. The computer terminal of claim 15, wherein the token capture device is an image capture device.
 17. One or more non-transitory computer readable media comprising computer-executable code that when executed by a computing system including one or more processors the system to: capture, from a user device of a user, a sharing token using the token capture device; provide the sharing token to a digital identity system, the digital identity system storing an age-related identity attribute associated with the user, wherein the digital identity system is configured to validate the sharing token; and receive, from the digital identity system, a message, wherein receipt of the message indicates that the sharing token is valid. 